Data Protection - Can You Afford Not To Comply?

A Review of the last 18 months
 
In April 2010 the Information Commissioner (who is responsible for enforcing data protection legislation) was given greater enforcement powers to deal with businesses and organisations which contravened Data Protection principles. Following a review of the legal framework and the implementation of penalty notices the Information Commissioner (“ICO”) is now permitted to issue a monetary penalty of up to £500,000, thus illustrating that any serious breach of the Data Protection principles will result in a significant punishment.
 
However, should these revised enforcement powers cause concern? Should businesses and organisations be reviewing their data protection policies and procedures? The Information Commissioner’s annual report for 2010/2011, issued in April 2011, confirms that in this 12 month period the ICO issued a number of penalty notices to organisations following a variety of investigations and prosecutions.
 
The Information Commissioner has issued 4 monetary penalty notices against local authorities and limited companies. These fines were imposed for serious breaches of Data Protection principles: fax addressing errors and reported losses of unencrypted laptops holding extensive databases. In addition to these significant penalties, 44 data protection undertakings were obtained, 5 prosecutions were issued and 2 freedom of information enforcement notices were imposed. It is expected that the number of penalty notices served and prosecutions brought will increase. For this reason it is essential for all businesses to be aware of their obligations and of the Information Commissioner’s enforcement powers.
 
Where businesses may be exposed
 
A business that has control of personal data (in DPA jargon a “data controller”) will be guilty of an offence under the Data Protection Act (“DPA”) if it acts deliberately to contravene the DPA. For example, a company that sells its database to a third party knowing that it has not obtained the consent of the individuals whose data it is selling.
 
However, businesses can also be guilty if they must have known, or ought to have known, that there was a risk that they were in contravention of the DPA. This will include businesses that act negligently or do not take reasonable steps to comply with the DPA. It is worth remembering that this legislation is a result of the number of high profile data losses by government departments, banks and retailers which occurred a couple of years ago. It appears that, if the same circumstances occurred now, the Information Commissioner would use the new powers to impose fines on these organisations.
 
How the monetary penalty notice is calculated and served
 
Before the Information Commissioner can issue a fine, he must first send a notice of intent to the data controller. This will set out the proposed amount of the fine. The data controller then has the opportunity to make written representations to the Information Commissioner, for example, to explain the reasonable steps that it did take to comply with the DPA. Having received the representations, the Information Commissioner may decide to take no further action or he may issue a monetary penalty notice, which will specify the fine imposed.
 
The ability to issue fines is intended to promote compliance with the DPA. In deciding the level of the monetary penalty the Information Commissioner will consider the sector (for example, whether the data controller is a voluntary organisation) and the size and financial resources of the data controller.
 
A monetary penalty notice will only be issued to the business or organisation that is registered with the Information Commissioner as the data controller. If the data loss has been caused by the actions of an individual, for example an employee or consultant, the monetary penalty notice will be sent to the data controller that they work for.  This highlights the importance of ensuring that employees are trained on the DPA and understand the procedures the business has in place for complying with it.
 
If a data controller employs another business to process data for them (known as a “data processor”) then it will be the data controller who will receive the monetary penalty notice even if the data loss was caused by the actions of the data processor. Only if the data controller can show that they had an appropriate written contract with the data processor and monitored compliance with that agreement will they be able to escape liability. If a business employs another company to do their payroll, host their e-commerce website or send out marketing to consumers then they must ensure that they have a written contract and regularly monitor performance of the data processor.
 
So what should a business do if an actual or potential data security breach is identified?
 
A well managed organisation should already have a policy in place and, if so, this should be followed. The Information Commissioner’s Office has published helpful guidance which can be found easily on www.ico.gov.uk. This identifies four main elements to any breach management plan:
 
1. Containment and recovery
2. Assessment of ongoing risk
3. Notification of breach
4. Evaluation and response
 
In most cases the most difficult issue to address will be notification of the breach to the ICO. Whether or not there is a "strict" legal obligation to report security breaches and data loss to the ICO and people affected has been a source of considerable debate among data protection practitioners. 
 
Whilst the ICO guidance states that there is no legal obligation on data controllers to report breaches, the Information Commissioner has published a press release warning that organisations may face tougher sanctions if they fail to report security breaches which subsequently come to light: “those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”
 
Whilst this may be thought to suggest that notification is always the best policy, a business should be aware that being up front and reporting a breach could give the ICO all the evidence they need to justify imposing a fine.
 
So, whether to notify or not is a crucial question and one in respect of which the answer will depend on the specific facts of each individual case. Businesses would be well advised to seek expert professional advice on this issue, particularly if the breach is serious.
 
In order to avoid a monetary penalty notice dropping on your desk, businesses should take immediate steps to review their data protection policies and procedures. Key areas to be considered include staff training, putting in place contracts with data processors and monitoring these effectively, and encrypting personal data when it is transferred outside of the business’s premises. In particular, policies should include a full consideration of the four main elements of a breach management plan.
 
 
Jeremy Scott of the Regulatory and Corporate Defence unit and Alexandra Weston of the Company Commercial unit have wide experience of advising businesses on data protection, including drafting data protection policies, conducting data protection audits and advising on data collection notices and privacy policies. Contact:
 
Jeremy Scott – jeremy.scott@langleys.com  tel: 01904 683106
Alexandra Weston – alex.weston@langleys.com  tel: 01904 683060.